[Piuparts-devel] [Git][debian/piuparts][develop] provide a basic /dev tree even in unprivileged namespaces

Nicolas Dandrimont (@olasd) gitlab at salsa.debian.org
Thu Nov 23 11:22:55 GMT 2023



Nicolas Dandrimont pushed to branch develop at Debian / piuparts


Commits:
aa916c1e by Helmut Grohne at 2023-11-23T12:18:07+01:00
provide a basic /dev tree even in unprivileged namespaces

Most piuparts environments will provide a working /dev tree. For
instance, a pbuilder base.tgz contains them. As does a schroot tree.
Likewise, docker will set up devices. Even debootstrap will create them.
However when running piuparts in an unprivileged namespace, debootstrap
cannot create them (and can be made to work by exporting container=lxc).
Similarly, when passing a device-less base.tgz for an unprivileged
namespace they are missing. While piuparts previously created /dev/null,
this is bound to fail with -EPERM. In that case, individual device nodes
need to be bind mounted. Since such bind mounting is not preferred for
the other variants, we try creating missing devices first.

- - - - -
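An added example, not part of the commit above or of piuparts itself: a standalone Python audit for the state the commit message describes. It checks a chroot's /dev against the same device set and symlinks (taken from the systemd container interface page the commit cites), flags the failure mode the old code could leave behind (a regular file sitting where a character device should be), and probes whether mknod is permitted the way the commit does, treating EPERM as "unprivileged namespace" and re-raising anything else. The sample /dev tree it audits is constructed in a temporary directory; the function names are my own, not piuparts API.

```python
import errno
import os
import stat
import tempfile

# Character devices a container is expected to carry, with the major/minor
# numbers the commit takes from https://systemd.io/CONTAINER_INTERFACE/
EXPECTED_CHARDEVS = {
    "null": (1, 3),
    "zero": (1, 5),
    "full": (1, 7),
    "random": (1, 8),
    "urandom": (1, 9),
    "tty": (5, 0),
}

# Symlinks the commit creates when they are absent.
EXPECTED_SYMLINKS = {
    "fd": "/proc/self/fd",
    "stdin": "/proc/self/fd/0",
    "stdout": "/proc/self/fd/1",
    "stderr": "/proc/self/fd/2",
}


def audit_dev_tree(root):
    """Classify each expected entry under <root>/dev.

    Returns a dict mapping "/dev/<name>" to one of:
      "ok"            character device with the expected major/minor,
                      or symlink with the expected target
      "missing"       path does not exist
      "not-a-device"  exists but is not a character device (e.g. a regular
                      file left behind when mknod failed and no bind mount
                      was placed on top of it)
      "wrong-number"  character device with another major/minor
      "wrong-target"  symlink pointing somewhere else
      "not-a-symlink" a symlink was expected, something else was found
    """
    result = {}
    for name, (major, minor) in EXPECTED_CHARDEVS.items():
        path = os.path.join(root, "dev", name)
        try:
            st = os.stat(path)  # follows symlinks, as a process opening it would
        except FileNotFoundError:
            result["/dev/" + name] = "missing"
            continue
        if not stat.S_ISCHR(st.st_mode):
            result["/dev/" + name] = "not-a-device"
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            result["/dev/" + name] = "wrong-number"
        else:
            result["/dev/" + name] = "ok"
    for name, target in EXPECTED_SYMLINKS.items():
        path = os.path.join(root, "dev", name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            result["/dev/" + name] = "missing"
            continue
        if not stat.S_ISLNK(st.st_mode):
            result["/dev/" + name] = "not-a-symlink"
        elif os.readlink(path) != target:
            result["/dev/" + name] = "wrong-target"
        else:
            result["/dev/" + name] = "ok"
    return result


def can_mknod(directory):
    """Probe whether this process may create character devices in <directory>.

    Same test as the commit: True if mknod succeeds, False on EPERM (the
    usual answer inside an unprivileged user namespace), any other error is
    re-raised. The probe node is removed again.
    """
    probe = os.path.join(directory, ".mknod-probe-%d" % os.getpid())
    try:
        os.mknod(probe, stat.S_IFCHR | 0o666, os.makedev(1, 3))
    except OSError as err:
        if err.errno == errno.EPERM:
            return False
        raise
    os.unlink(probe)
    return True


def build_sample_tree(root):
    """Constructed sample (not taken from any real chroot): a device-less
    /dev such as an unprivileged namespace leaves behind, plus two leftovers."""
    os.makedirs(os.path.join(root, "dev"))
    # A regular file where /dev/null should be: what remains if mknod hit
    # EPERM and the bind mount never happened.
    open(os.path.join(root, "dev", "null"), "w").close()
    os.symlink("/proc/self/fd", os.path.join(root, "dev", "fd"))
    os.symlink("/dev/pts/0", os.path.join(root, "dev", "stdin"))


def audit_sample():
    """Build the constructed sample in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_dev_tree(tmp)


if __name__ == "__main__":
    for path, status in sorted(audit_sample().items()):
        print("%-12s %s" % (path, status))
    with tempfile.TemporaryDirectory() as tmp:
        print("mknod permitted here:", can_mknod(tmp))
```

Run it against a real chroot with `audit_dev_tree("/path/to/chroot")` after piuparts has set it up; anything other than "ok" for the six character devices means programs inside the chroot will open a regular file instead of the kernel device.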


1 changed file:

- piuparts.py


Changes:

=====================================
piuparts.py
=====================================
@@ -35,6 +35,7 @@ from __future__ import print_function
 VERSION = "__PIUPARTS_VERSION__"
 
 
+import errno
 import json
 import logging
 import optparse
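Review bot: the import list gains only `errno`, but the new code in the next hunk also relies on `stat` (`stat.S_ISCHR`, `stat.S_IFCHR`, `stat.S_IFREG`); please confirm `stat` is already imported in piuparts.py, since this hunk does not add it.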
@@ -1173,10 +1174,53 @@ class Chroot:
         self.create_dpkg_conf()
         self.create_policy_rc_d()
         self.create_resolv_conf()
+
+        # Most environments will have devices set up. Unprivileged namespaces do
+        # not. Ensure presence of devices while not clobbering existing ones.
+        # Set of devices taken from https://systemd.io/CONTAINER_INTERFACE/
+        chardevices = {
+            "null": os.makedev(1, 3),
+            "zero": os.makedev(1, 5),
+            "full": os.makedev(1, 7),
+            "random": os.makedev(1, 8),
+            "urandom": os.makedev(1, 9),
+            "tty": os.makedev(5, 0),
+        }
+        for devname, devnum in chardevices.items():
+            devname = "/dev/" + devname
+            isdevice = False
+            try:
+                isdevice = stat.S_ISCHR(os.stat(self.name + devname).st_mode)
+            except FileNotFoundError:
+                # Try creating missing devices. If that fails with -EPERM, we
+                # likely are in an unprivileged namespace and resort to bind
+                # mounting them individually.
+                try:
+                    os.mknod(self.name + devname, stat.S_IFCHR | 0o666, devnum)
+                    isdevice = True
+                except OSError as err:
+                    if err.errno != errno.EPERM:
+                        raise
+                    # Create a regular file to serve as a mount point.
+                    os.mknod(self.name + devname, stat.S_IFREG)
+            if not isdevice:
+                self.mount(devname, devname, opts=["bind"])
+
+        symlinks = {
+            "fd": "/proc/self/fd",
+            "stdin": "/proc/self/fd/0",
+            "stdout": "/proc/self/fd/1",
+            "stderr": "/proc/self/fd/2",
+        }
+        for linkname, linktarget in symlinks.items():
+            linkname = self.name + "/dev/" + linkname
+            try:
+                os.lstat(linkname)
+            except FileNotFoundError:
+                os.symlink(linktarget, linkname)
+
         for bindmount in settings.bindmounts:
             self.mount(bindmount, bindmount, opts=["rbind"])
-        if not os.path.exists(self.name + '/dev/null'):
-            run(['mknod', '-m' ,'666', self.name + '/dev/null', 'c', '1', '3'])
 
     def remember_available_md5(self):
         """Keep a history of 'apt-cache dumpavail | md5sum' after initial



View it on GitLab: https://salsa.debian.org/debian/piuparts/-/commit/aa916c1eabdc1579fc31e7ff12254df478cc9a14


